When Michigan enacted Act 378 of 1988, the digital streaming revolution was still decades away. Video rental stores lined shopping centers, and the idea that websites would one day track and share viewing habits seemed like science fiction. Yet this state law, formally known as the “Preservation of Personal Privacy Act,” has become increasingly relevant in our modern digital landscape, where every click, view, and scroll generates data that companies collect, analyze, and share.
Get a free privacy audit to see how your website complies with Michigan and other privacy laws.
Michigan’s Video Privacy Laws: From VHS Tapes to Website Tracking
Michigan’s video privacy statute operates alongside the federal Video Privacy Protection Act (VPPA), creating a dual-layer framework that protects residents’ viewing information from unauthorized disclosure. As courts expand interpretations of these protections to encompass modern streaming platforms, social media integrations, and website analytics, Michigan’s law has emerged as a powerful tool for protecting digital privacy—and a significant source of litigation risk for businesses operating in the state.
The Origins: Act 378 of 1988 and the Preservation of Personal Privacy
Michigan’s Preservation of Personal Privacy Act was enacted during the same era that produced the federal VPPA, responding to similar concerns about the privacy of consumer viewing habits. The law establishes strict controls over how video service providers handle personally identifiable information related to video rentals and purchases.
The Michigan statute prohibits video service providers from knowingly disclosing personally identifiable information about customers without proper consent. This includes information that identifies a person as having requested or obtained specific video materials or services. The law applies broadly to any business engaged in the rental, sale, or delivery of video materials, encompassing traditional video rental stores, online streaming services, and other platforms that provide video content to Michigan residents.
Like its federal counterpart, Michigan’s law was motivated by recognition that viewing habits reveal intimate details about people’s lives, interests, beliefs, and values. The videos someone watches can expose their political leanings, religious beliefs, sexual orientation, health concerns, and countless other personal attributes. Michigan legislators understood that this sensitive information deserved special protection beyond general privacy laws.
The statute creates a private right of action, allowing individuals whose information is improperly disclosed to sue for damages. This enforcement mechanism has proven crucial, as it enables affected consumers to vindicate their rights without relying solely on government enforcement. Successful plaintiffs can recover actual damages, liquidated damages, punitive damages in cases of willful violations, and attorney’s fees, creating significant incentives for compliance.
Michigan Privacy Law Requirements
Scope of Protected Information
Michigan’s video privacy law protects “personally identifiable information,” defined as information that identifies a person as having requested or obtained specific video materials or services. This encompasses not just names and addresses but any information that, when combined with viewing data, can identify an individual. The protection extends to rental history, purchase records, viewing patterns, and related personal information maintained by video service providers.
The law recognizes that identification can occur through various means beyond direct naming. Account numbers, IP addresses, device identifiers, email addresses, and other unique identifiers that link viewing behavior to specific individuals all constitute personally identifiable information when associated with video content selections. This broad interpretation has become particularly important as tracking technologies have grown more sophisticated.
Permitted Disclosures and Exceptions
The statute isn’t absolute—it permits certain disclosures under specific circumstances. Video service providers may disclose customer information to the customer themselves, with informed written consent from the customer that’s obtained at the time of disclosure, to law enforcement pursuant to a court order or warrant, or as necessary to collect debts or enforce terms of service, subject to limitations.
The consent exception requires particular attention. Consent must be informed, meaning customers understand what information will be disclosed, to whom it will be disclosed, and for what purposes. Written consent must be obtained separately for each disclosure or category of disclosures, and blanket consent buried in terms of service agreements has faced judicial skepticism. The consent must be contemporaneous with the disclosure, not obtained long before actual sharing occurs.
Prohibited Practices
The law explicitly prohibits several practices that video service providers might otherwise be tempted to pursue. Providers cannot disclose viewing information for direct marketing purposes without explicit consent, create profiles of customer viewing habits for sale to third parties, share customer data with advertisers or data brokers absent proper authorization, or retain personally identifiable information longer than necessary for legitimate business purposes.
These prohibitions address the fundamental concern that drove the law’s enactment: the risk that viewing information would be commodified and traded without customer knowledge or consent. As data has become increasingly valuable and the data broker industry has exploded, these restrictions have grown more important.
The 2016 Amendments: Clarification and Modernization
Michigan amended its video privacy statute in 2016 to address ambiguities that had emerged since the law’s original enactment and to account for technological changes in how video content is delivered. While the core protections remained intact, the amendments clarified several important aspects of the law’s application.
Definitional Updates
The 2016 amendments refined key definitions to better reflect modern video distribution models. The definition of “video service provider” was clarified to encompass streaming services, video-on-demand platforms, and other digital distribution methods beyond traditional rental stores. This ensured the law’s protections extended to Netflix, Hulu, YouTube, and similar platforms serving Michigan residents.
The amendments also addressed what constitutes “personally identifiable information” in the digital age, confirming that online identifiers and digital tracking mechanisms fall within the law’s scope. This clarification proved prescient as tracking technologies became increasingly central to how video platforms operate and monetize content.
Consent Requirements
The amendments strengthened consent requirements, specifying that consent obtained through “clickwrap” agreements—where users click “I agree” to lengthy terms of service—must meet standards of informed consent. The law requires that disclosures about information sharing be clear, conspicuous, and separate from general terms of service. Burying notice of video data sharing in paragraph 47 of a terms of service document that users routinely ignore doesn’t constitute valid consent.
Retention Limitations
Updated provisions addressed how long video service providers can retain personally identifiable information. The amendments established that retention must be limited to periods necessary for legitimate business purposes and that providers must implement reasonable data destruction policies. Indefinite retention of viewing histories without business justification violates the statute’s protections.
Modern Litigation: Video Privacy Laws in the Digital Age
Michigan’s video privacy statute, along with the federal VPPA, has generated extensive litigation as courts grapple with applying decades-old laws to modern technologies. The core question in many cases is whether digital tracking, analytics sharing, and social media integrations constitute prohibited disclosures of viewing information.
The Evolution of Video Privacy Class Actions
Video privacy litigation exploded in the 2010s as plaintiffs’ attorneys recognized that streaming platforms and websites were sharing viewing data with third parties through various tracking technologies. Common factual patterns in these cases include streaming platforms that integrate Facebook pixels or Google Analytics on video pages, allowing these third parties to see what content users view; websites that embed YouTube or Vimeo videos and share viewer information with these platforms; mobile apps that track which videos users watch and share this data with advertising networks; and smart TV manufacturers that collect and share viewing information from their devices.
These practices, often invisible to users, potentially violate video privacy statutes by disclosing personally identifiable viewing information to third parties without proper consent. The fact that sharing occurs through automated technical integrations rather than manual disclosures doesn’t exempt it from the law’s requirements.
Key Legal Questions and Interpretations
Courts have addressed several critical questions in video privacy litigation. A central issue is what constitutes a “video service provider” under the statute. Early cases debated whether websites that merely host video content alongside other material qualify as video service providers. Michigan courts have generally adopted broad interpretations, finding that any entity that provides video content to users can be a video service provider for purposes of the law, even if video isn’t their primary business.
Another key question is what level of identification is required for information to be “personally identifiable.” Must it include a person’s actual name, or are online identifiers like IP addresses, cookies, or device IDs sufficient? Courts have increasingly recognized that modern identification doesn’t require knowing someone’s legal name—if information can be linked to a specific individual through technical means, it’s personally identifiable.
The consent defense has generated substantial litigation. Video service providers often argue that general terms of service or privacy policies constitute consent to data sharing. Courts scrutinize these arguments carefully, examining whether users were truly informed about specific disclosures, whether consent was meaningfully voluntary, and whether the timing and specificity requirements were met.
Notable Michigan Cases and Rulings
Michigan courts have issued several significant decisions interpreting video privacy protections. While specific case names and outcomes evolve, certain patterns have emerged in Michigan jurisprudence. Courts have shown willingness to allow video privacy claims to proceed to discovery and trial rather than dismissing them at early stages, recognition that automated technical sharing of viewing data can constitute disclosure under the statute, skepticism toward arguments that general privacy policies provide sufficient consent for all data sharing, and acknowledgment that the law must adapt to protect privacy in modern digital contexts.
These rulings have made Michigan a relatively plaintiff-friendly jurisdiction for video privacy litigation, encouraging more cases to be filed in Michigan courts and increasing compliance pressure on video service providers operating in the state.
Institutional and Higher Education Implications
An important development in video privacy litigation has been its expansion beyond consumer streaming services to institutional contexts, particularly in higher education. Universities, colleges, and other educational institutions increasingly embed videos in their websites, use learning management systems with video capabilities, and integrate third-party video platforms into their digital properties.
University Website Tracking Cases
Several recent cases have targeted universities for video-related tracking on their websites. These lawsuits typically allege that when prospective students, current students, or other visitors view videos on university websites—such as campus tours, informational videos, or academic content—the universities share viewing information with Facebook, Google, or other third parties through embedded tracking pixels.
The plaintiffs argue that universities act as video service providers when they make videos available through their websites and that sharing viewing data with advertising platforms violates video privacy statutes. Universities counter that they’re educational institutions, not video providers, and that any data sharing serves legitimate purposes like understanding website usage and improving user experience.
These cases raise challenging questions about the scope of video privacy laws in institutional contexts. Should a university website be treated the same as Netflix or YouTube? Do educational purposes create different expectations around data sharing? How do legitimate website analytics fit with privacy protections?
Learning Management Systems and EdTech
The expansion of online education has created additional video privacy concerns around learning management systems and educational technology platforms. When students watch recorded lectures, instructional videos, or other educational content through systems like Canvas, Blackboard, or Zoom, detailed viewing data is generated. Questions arise about who controls this data, how it can be used, and whether sharing it with platform providers or third parties violates video privacy protections.
Educational institutions often argue that viewing data helps them understand student engagement, identify struggling students, and improve educational outcomes. However, this beneficial purpose doesn’t necessarily authorize sharing of viewing information with third parties for advertising, analytics, or other purposes beyond the educational relationship.
Compliance Challenges for Educational Institutions
Universities and schools face particular compliance challenges with video privacy requirements. Unlike commercial streaming services built around subscriber agreements and explicit privacy notices, educational institutions have complex relationships with multiple constituencies—prospective students, current students, alumni, employees, and the general public—all of whom may view videos on institutional websites.
Obtaining proper consent from these diverse audiences while maintaining usable, effective websites requires careful design of consent mechanisms, clear and prominent privacy notices, granular controls over analytics and tracking, and regular audits of video-related data sharing. Many institutions are retrofitting privacy protections onto websites designed without video privacy laws in mind, a challenging remediation process.
Michigan’s Video Rental Privacy Act: Mirroring Federal Protections
Beyond Act 378, Michigan maintains its own Video Rental Privacy Act (MCL 445.1711 et seq.), a separate statute that closely mirrors the federal Video Privacy Protection Act while adding state-specific provisions. This dual-track approach provides Michigan residents with comprehensive protections under both state and federal law.
The Michigan Video Rental Privacy Act prohibits video tape service providers—defined similarly to the federal law—from disclosing personally identifiable information about customers without consent. The statute creates its own private right of action, allowing individuals to sue for violations and recover damages. While substantially similar to the VPPA, Michigan’s version includes some state-specific language and procedural requirements.
Having parallel state and federal video privacy laws creates overlapping protections that reinforce each other. Plaintiffs can bring claims under both statutes simultaneously, and even if a court finds technical grounds to dismiss federal VPPA claims, state law claims may still proceed. This redundancy strengthens privacy protections and increases compliance risks for entities that violate video privacy principles.
Recent Federal VPPA Interpretations and Michigan Impact
Michigan courts have been influenced by recent federal court rulings that significantly expanded interpretations of the Video Privacy Protection Act to address modern data sharing practices. These decisions have important implications for how Michigan’s parallel video privacy statutes are interpreted and applied.
Expansion to Website Tracking and Analytics
Federal courts have increasingly recognized that when websites with video content share viewing information with third parties like Facebook or Google through pixels, APIs, or other integrations, this constitutes “disclosure” under the VPPA. Early arguments that automated technical sharing didn’t qualify as disclosure have largely been rejected. Courts understand that whether data is shared through manual processes or automated systems is irrelevant to the privacy harm.
This expansion has dramatic implications for websites that embed videos and use common tracking technologies. A university website with an embedded campus tour video and Facebook pixel may be disclosing viewing information in violation of video privacy laws, even if no human at the university or Facebook ever looks at the data and even if it’s shared purely for aggregate analytics purposes.
Broad Interpretation of “Video Service Provider”
Federal courts have adopted broad interpretations of what constitutes a video service provider under the VPPA, finding that websites don’t need to be exclusively or primarily focused on video content to qualify. If a website makes video content available to users—even as one feature among many—it can be a video service provider for purposes of the statute.
Michigan courts have followed similar interpretive paths, recognizing that limiting video privacy laws to traditional video rental businesses would defeat their purpose in the modern digital landscape. Universities, media companies, e-commerce sites, and countless other entities that incorporate video into their online presence can be video service providers subject to these laws’ requirements.
Implications for Higher Education and Beyond
These expansive interpretations have significant implications for Michigan institutions, particularly in higher education. Universities that once viewed video privacy laws as relevant only to commercial entertainment services now face potential liability for common website practices. The same applies to healthcare providers with educational videos, businesses with product demonstrations, media organizations with news clips, and countless other entities.
The shift requires these organizations to carefully audit their video-related data practices, implement proper consent mechanisms or eliminate non-consensual data sharing, review and potentially renegotiate agreements with analytics and advertising vendors, and train staff on video privacy compliance requirements. For many organizations, particularly those in education and other non-commercial sectors, this represents a significant compliance challenge.
Practical Compliance Strategies
Organizations subject to Michigan’s video privacy laws must implement comprehensive compliance programs to manage litigation risk and protect consumer privacy. Effective strategies include several key components.
Conduct Comprehensive Video Data Audits
Start by identifying all locations where your organization provides video content to users—websites, mobile apps, learning management systems, social media channels, and any other platforms. Map how viewing data flows from these platforms to third parties, documenting every integration, pixel, API, or other mechanism that shares information with external entities.
Understanding your current data practices is essential before you can remediate violations or implement proper consent mechanisms. Many organizations discover during audits that they’re sharing viewing information in ways they didn’t realize through tracking technologies implemented by marketing teams or through third-party platforms with their own data collection practices.
Implement Proper Consent Mechanisms
If you choose to continue sharing viewing information with third parties, implement consent mechanisms that meet video privacy law requirements. This means providing clear, specific notice about what viewing information will be shared, with whom it will be shared, and for what purposes; obtaining affirmative, informed consent through clear user action rather than buried terms of service; making consent granular so users can allow some sharing while prohibiting other disclosures; and documenting consent with timestamps and records that demonstrate compliance.
Consider whether consent-based models are feasible for your use case. For some organizations, particularly those serving diverse audiences or providing public content, obtaining proper consent from all viewers may be impractical.
Alternative: Eliminate Non-Consensual Sharing
The most straightforward compliance approach is eliminating sharing of viewing information with third parties absent proper consent. This means removing pixels, tags, and integrations that send viewing data to advertising platforms or analytics services, configuring video players and platforms to prevent automatic data sharing, using privacy-preserving analytics that don’t share personally identifiable viewing information, and limiting data collection to what’s necessary for video delivery and internal operations.
While this approach may require sacrificing some marketing analytics or advertising capabilities, it eliminates video privacy litigation risk and demonstrates genuine commitment to user privacy.
Review and Update Privacy Policies
Ensure your privacy policies accurately describe video-related data practices, provide specific information about video data sharing rather than general statements, explain user rights regarding viewing information, and include instructions for exercising privacy rights like accessing or deleting viewing data.
Privacy policies shouldn’t be compliance theater—they should accurately reflect actual practices and provide meaningful information to users about how their viewing information is handled.
Establish Data Retention and Deletion Policies
Implement policies that limit how long viewing information is retained, establish procedures for securely deleting viewing data when retention periods expire, respond promptly to user requests to delete their viewing information, and document retention policies and deletion practices for compliance purposes.
Indefinite retention of viewing histories without business justification increases both privacy risks and legal exposure under video privacy statutes that require limiting retention to legitimate business purposes.
Train Staff and Establish Governance
Create internal governance structures for video privacy compliance including clear assignment of responsibility for managing video privacy requirements, training for marketing, IT, and other teams that implement video-related technologies, review processes for new video initiatives or integrations before launch, and regular compliance monitoring and auditing.
Video privacy compliance can’t be a one-time project—it requires ongoing attention as your video offerings evolve and new technologies are implemented.
The Future of Video Privacy Protection
Michigan’s video privacy laws, enacted when videocassettes represented cutting-edge technology, have proven remarkably adaptable to the digital age. As courts continue expanding interpretations to address modern data sharing practices, these statutes will likely remain relevant and generate continued litigation.
Several trends will shape the future of video privacy protection. Expect more expansive interpretations of what constitutes video service providers and personally identifiable information, increased scrutiny of consent mechanisms with higher standards for informed, voluntary agreement, growing recognition that automated data sharing through pixels and APIs constitutes disclosure, and application of video privacy principles to emerging technologies like connected TVs, virtual reality, and new streaming platforms.
Organizations providing video content to Michigan residents must stay alert to these developments and maintain robust compliance programs. The alternative—ignoring video privacy requirements until litigation strikes—exposes organizations to substantial damages, negative publicity, and the expense of emergency remediation under court supervision.
Michigan’s video privacy laws demonstrate how thoughtful legislation, even when enacted in a vastly different technological era, can evolve through judicial interpretation to protect privacy in contemporary contexts. As viewing moves increasingly online and data sharing becomes more pervasive, these protections serve as important guardrails ensuring that the intimate insights revealed by our viewing choices remain private absent meaningful consent to their disclosure.
